PrivaTalk - November 2002

Volume 2
Issue 11

Safeway Introduces New E-Marketing Techniques

Grocery retailer Safeway is testing new in-store shopping cart technology that traces shoppers’ steps through its stores and flashes personalized ads at them while they are shopping.

The move underscores a growing trend. As more technology permeates the brick-and-mortar retail world, the kind of sophisticated, some may say intrusive, marketing that’s common in the online world could become the norm in supermarkets and other stores.

The test sites for the system, which incorporates data on shoppers’ spending habits, are two stores in northern California. Shopping carts in those stores have been equipped with a touch screen and scanner, where shoppers are invited to swipe their Safeway Club Cards, “loyalty” cards that keep track of everything their holders buy in exchange for discounts on merchandise.

As customers stroll the aisles of the store, the screen flashes promotions based on their purchasing histories. For instance, if a shopper is passing the detergent shelves and hasn’t stocked up in a while, the cart could flash a coupon for his or her preferred brand.

On the surface, Safeway says it is interested in the technology as a tool for boosting convenience for customers, but the data gathered by stores such as Safeway represents a treasure trove of consumer buying habits, which may ultimately allow retailers to boost profits by better tailoring their inventories to customers’ desires. The data can also help retailers squeeze more efficiency out of their supply chain by ensuring that they are stocking up on inventory that consumers want to buy.

According to analysts, retailers in general don’t make the most effective use of customer-specific data they’ve collected with frequent-shopper cards. The specialized data-warehousing and data-mining systems needed to sift through that data are expensive and complex, and many retailers are reluctant to monitor purchases more closely since they don't want to raise privacy fears among consumers.

Safeway’s pilot test, however, may signal that retailers are quietly moving to make more use of such data. Traditional grocery chains may be experimenting with such programs in response to rising competitive threats, namely a multiplying number of superstores with grocery sections.

Marketing tools like “smart” shopping carts could backfire, however, if people aren’t given the choice not to use them. Customers could get annoyed, for instance, if the cart beeped at them until they swiped their card.

Safeway has no plans yet to introduce the high-tech shopping carts to any of its other 1,650 stores in North America.


Canadian Privacy Commissioner Releases Decisions on Consent

Canada’s Privacy Commissioner has released six new decisions which examine standards for providing consumers with meaningful consent. The cases were launched in October of last year by the Public Interest Advocacy Centre (PIAC) in an effort to shed light on the fact that when it comes to secondary marketing purposes, marketers and the marketed differ on the issue of what form of consent is appropriate. PIAC complained that these companies were in breach of the legal requirement to obtain informed consent. PIAC emphasized that companies fall short of their obligations to bring their practices, as well as the option of withdrawing consent, to the attention of customers. The Commissioner ruled in favour of Bell Canada and Scotia Bank, but was critical of MBNA Canada’s practices regarding use of customer information for secondary purposes, and found that Bell Mobility, Bell ExpressVu, and Loyalty Management Group (operating the AIR MILES program) were all in violation of the federal law.

In some cases (e.g., Bell Canada), the Commissioner found that the company did not use or share customer data with affiliates. One company, Scotiabank, was found to have an “exemplary” policy of bringing optional secondary purposes to the attention of customers, and guiding customers through the opt-out process. In favour of Scotiabank’s practices, the Commissioner stated, “the bank does not rely upon fine print or documents not immediately at hand…The bank’s policy is very much akin to an opt-in form of consent favoured by the complainant.”

Bell Mobility and Bell ExpressVu were found to rely wholly upon their parent company’s view of implied consent (that is, by using the companies’ products and services, customers give implied consent). In so doing, the Commissioner found that it is not reasonable to expect customers to be aware of and to consent to general policy documents that the companies do not bring to their attention. The companies neither inform the customer about their intention to disclose personal information to each other, nor do they notify the customer of the opportunity and method to opt-out of such disclosure.

The Commissioner found that Loyalty Management Group had made a reasonable effort to inform customers of the secondary purposes of marketing through its written application form, but that customers applying by telephone are not receiving the same information. The telephone script for example does not indicate that marketing purposes are optional and that consent to such purposes may be withdrawn.

In his findings on Bell Mobility, the Commissioner stated that “where an organization intends to disclose personal information that the individual is likely to consider sensitive, such as credit records and complaint records”, the individual should “be consulted directly and positively”, through “positive or opt-in consent rather than the negative option”.

The cases send a clear message to businesses that they can’t simply deem customer consent to the use of personal information for secondary purposes, on the basis of hidden contract terms or website postings. In order to meet legal standards, consent must be obtained in a manner that ensures that it is informed, and intentional.

The Commissioner made it clear that this means bringing the purposes to the attention of the individual customer during the application process, rather than relying upon generally available policy documents. It means stating the purposes in clear, plain language and in sufficient detail for the ordinary consumer to appreciate what it is they are consenting to. And finally, it means giving consumers an easy, inexpensive way to opt-out of secondary purposes.
See http://www.privcom.gc.ca/cf-dc/index2_e.asp for the Commissioner’s Summary Findings for these cases.


A Quebec Law that speaks to the Protection of Personal Information

The new Quebec Act to Establish a Legal Framework for Information Technology is the first in Canada to explicitly equate the value of an electronic document and signature with its written counterpart. A digitally signed contract, for example, could carry the same legal weight under the Act as a printed contract delivered in person or by postal mail. Though it has been in effect since November of last year, the details of the law are not known to a lot of Quebec enterprises.

The law addresses a number of issues surrounding e-commerce, but its effect on the daily operations of e-commerce merchants is more of a side-effect. In the rest of Canada, electronic commerce legislation is really aimed at fostering electronic commerce. With this law, however, the objective of ensuring electronic documents have the same value as other documents has resulted in a unique feature: it mandates the secure transmission of confidential data over the Internet. Although it may be implied, there isn’t an outright obligation in other laws to ensure the protection of privileged information in electronic communication.

The legislation also has some major privacy implications. Section 44 states that anyone gathering biometrics information can only do so with the express consent of the person they’re getting the information from. Where consent is obtained, only the minimum number of characteristics or measurements needed to link the person to an act may be recorded for identification purposes. The Act also forbids the use of such information for purposes other than that to which individuals consent.

The creation of a database of biometric characteristics and measurements must be disclosed beforehand to the Commission d'accès à l'information. As well, the existence of such a database, whether or not it is in service, must be disclosed to the Commission. The Commission may make orders determining how such databases are to be set up, used, consulted, released and retained, and how measurements or characteristics recorded for personal identification purposes are to be archived or destroyed.

Many of the principles applicable to collection and use of biometric information are similar to those found under current federal privacy legislation for the private sector and Quebec privacy legislation. However, certain principles, such as the requirement for express consent before collecting biometrics information, and database specifications, are more specific and impose greater obligations on parties seeking to use biometric information than current privacy legislation.

The use, as proof of one’s identity or the identity of another person, of a technology-based document specifying a personal characteristic or a particular fact requires that the integrity of the document be preserved. Such a document must, in addition, be protected from interception if its storage or transmission on a communication network makes it possible to usurp the identity of the person referred to in the document, and its consultation must be logged.

The ability of this piece of Quebec legislation to increase security of electronic transmissions and protection for biometrics will largely depend on how well the law is enforced by the Commission d'accès à l'information and the Quebec government.


Ireland’s New Data Protection Law in Light of the European Directive

According to Dublin-based lawyers, the draft version of the proposed data protection law in Ireland would not provide a precise framework allowing Irish businesses to comply with the law simply, efficiently and cost effectively.

The consideration of the Irish bill comes four years after the EU’s Data Protection Directive came into force. All EU Member States, except Ireland and Luxembourg, have implemented the directive into national law. This is set to change with both countries expected to pass their own version of the legislation by year’s end.

The proposed amendments in the looming Irish law include the consolidation of all data protection laws into a single piece of legislation that would be simpler and more accessible. This would include repealing Ireland’s 1988 Data Protection Act.

Another issue lobbied for by the Irish legal community includes the removal of the clause that requires “explicit consent” for processing of all personal information. Using such language goes further than that required under EU law and would create substantial problems for business since it is impractical to get explicit consent in all cases.

The lawyers also claim that there should be a specific segment of the bill that allows for the routine processing of employee information and that any new Irish data protection laws must clarify whether an “opt in” or “opt out” policy is required for direct marketing.

Notably, many of the issues that the Irish lawyers are highlighting are similar to concerns that other nations and officials have expressed. The UK, along with Finland, Austria and Sweden, has sent a position paper to the European Commission asking for changes to the EU Data Protection Directive. The countries want to ensure effective protection for personal data but without unnecessarily restricting the processing needed to deliver services.

Earlier this month, the European Data Protection Ombudsman wrote to the European Commission President that Europe’s data protection rules are being misinterpreted. He said in a statement that the rules, most of which are defined by the 1998 directive, need to be clarified because, without realizing it, corporations are abusing the rights of people to see data about themselves (see http://www.euro-ombudsman.eu.int/letters/en/default.htm). These comments came after a conference on data protection in Brussels in late September where a data protection survey of more than 9,000 EU citizens was published. In that survey most respondents said that they felt the level of data protection for individuals in the EU was inadequate.

Yet, U.S. companies have a vastly different attitude about Europe’s data protection laws. A group called the Global Privacy Alliance, representing mainly US companies, attended the Brussels conference, saying that Europe’s relatively stringent data protection laws made it tough for US firms to operate effectively in Europe.


International Study on Privacy Laws and Trends

Privacy International and the Electronic Privacy Information Center recently released a report entitled “Privacy and Human Rights: An International Survey of Privacy Law and Developments”. The report identifies four trends since the events of September 11, 2001: the swift erosion of pro-privacy laws; greater data sharing among corporations, police and spy agencies; greater eavesdropping; and sharply increased interest in people-tracking technologies, such as face-recognition systems and national ID cards. The most notable legislation in the U.S. is the U.S.A. Patriot Act, signed by President Bush on October 26, 2001. It expands all forms of electronic surveillance, permits increased information sharing between the CIA and federal police, and encourages Internet providers to work closely with police.

The survey examines a wide range of privacy issues including data protection, telephone tapping, genetic databases, ID systems and freedom of information laws.

The report finds that there is a worldwide recognition of privacy as a fundamental human right. Many countries around the world are enacting comprehensive data protection laws to safeguard individual privacy. However, at the same time, privacy is increasingly being undermined by technical advances and the demands of intelligence and law enforcement agencies for increased surveillance powers. This has increased since September 11th, 2001.

The study also indicates that there is a strong need for improved oversight and stricter enforcement of current laws to ensure that legal protections are not ignored as threats to personal privacy increase.

The report may be ordered for $25.00 through EPIC at


Microsoft Settles FTC Charges Alleging False Security and Privacy Promises

Microsoft Corporation agreed this past summer to settle Federal Trade Commission charges regarding the privacy and security of personal information collected from consumers through its “Passport” Web services. As part of the settlement, Microsoft agreed to implement a comprehensive information security program for Passport and similar services.

Microsoft, a provider of software, services, and Internet technologies for personal and business computing, operates three related Internet services: Passport Single Sign-In; Passport Express Purchase; and Kids Passport. Passport collects personal information from consumers and allows them to sign in at any participating website with a single name and password. Passport Wallet collects and stores consumers’ credit card numbers, and billing and shipping addresses, and enables consumers to use the stored information when making purchases at participating Web sites. Kids Passport allows parents to create Passport accounts for their children that can limit the collection of personal information by participating Web sites.

Microsoft’s Passport privacy policies included statements such as, “Passport achieves a high level of Web Security by using technologies and systems designed to prevent unauthorized access to your personal information” and “Your Passport is protected by powerful online security and a strict privacy policy.” The Kids Passport privacy policy included statements such as, “Microsoft Kids Passport allows parents to consent to the collection, use and sharing of their children’s information with Passport participating sites. . . . You can choose to allow Passport to share all of the information in your child’s Passport profile with a participating site or service, or you can limit the information shared to just a unique identifier or age range. . ..”.

The Commission initiated its investigation of the Passport services following a July 2001 complaint from a coalition of consumer groups led by the Electronic Privacy Information Center (EPIC).

According to the Commission’s report, Microsoft falsely represented that:

· It employs reasonable and appropriate measures under the circumstances to maintain and protect the privacy and confidentiality of consumers’ personal information collected through its Passport and Passport Wallet services, including credit card numbers and billing information stored in Passport Wallet;

· Purchases made with Passport Wallet are generally safer or more secure than purchases made at the same site without Passport Wallet when, in fact, most consumers received identical security at those sites regardless of whether they used Passport Wallet to complete their transactions;

· Passport did not collect any personally identifiable information other than that described in its privacy policy when, in fact, Passport collected and held, for a limited time, a personally identifiable sign-in history for each user; and

· The Kids Passport program provided parents control over what information participating Web sites could collect from their children.

The order issued by the FTC prohibits any misrepresentation of information practices in connection with Passport and other similar services. It also requires Microsoft to implement and maintain a comprehensive information security program. In addition, Microsoft must have its security program certified as meeting or exceeding the standards in the order by an independent professional every two years.

Microsoft has now rolled out an upgrade to its much-used but oft-criticized Passport online authentication system, in part designed to overcome privacy concerns. Passport is Microsoft’s public identity play. It is used to sign in users to its core on-line services, such as MSN.com and Hotmail.com, as well as at some partner sites.